The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently issued an advisory regarding Phobos ransomware, highlighting the attack techniques threat actors use to target the public sector. The report names the top three ways attackers gather intelligence: researching victims to build victim profiles, scanning for vulnerable Remote Desktop Protocol (RDP) ports, and phishing users.
Once reconnaissance is complete, the threat actor gains initial access to the victim's environment through valid accounts (abusing user credentials to infiltrate the organization), external remote services (services exposed to the Internet), or phishing attachments (malicious files delivered by email).
What do these reconnaissance and initial access methods have in common? Social engineering. Whether the attacker gets in by persuading a user to open a malicious attachment, by abusing an RDP port (perhaps with harvested or purchased credentials), or by using a valid account (79% of credentials are stolen through phishing), social engineering remains the most common root cause behind all of these initial access methods.
And it's not just Phobos. Look at supply chain incidents, ransomware attacks, or business email compromises, and social engineering is evident in all of them.
What Almost Everyone Misunderstands About Cybersecurity
Looking at the Phobos advisory, CISA lists 20 controls to mitigate ransomware attacks. These recommended mitigations are technical controls that do nothing to address the core root cause behind 80-95% of all attacks. The only technical control that addresses social engineering is phishing-resistant multi-factor authentication (MFA), number 13 on a list of 20 controls.
So can phishing-resistant MFA stop Phobos attacks? Probably not. That's because Phobos uses a combination of phishing and malicious attachments to infiltrate organizations. Once a user is tricked into running malware, it's usually game over. Phishing-resistant MFA may block some Remote Desktop Protocol (RDP) and valid-account-based attacks, but an attacker who has already penetrated the victim's environment probably no longer needs RDP or a valid account.
Similarly, the majority of cyber regulations, frameworks, and compliance standards, such as HIPAA, GDPR, SOX, and PCI-DSS, place little emphasis on social engineering. While technical controls such as firewalls, encryption, and backup and recovery get a lot of attention, social engineering is rarely mentioned. Security teams are no different, investing billions of dollars in cybersecurity technology each year while failing to address social engineering, the leading cause of successful cyber intrusions.
The need to prioritize threats and mitigation
Existing cybersecurity strategies often treat threats like champagne bubbles, assuming they are all the same size and each requires its own separate method of management. But this view is short-sighted. Some threats, such as social engineering and unpatched software, are very large, and these major threats stem from a single powerful source: human error.
Security agencies, regulators, and cybersecurity teams need to move away from a one-size-fits-all view of threats and mitigations. They need to prioritize. Focusing on the root causes behind social engineering attacks is more effective than treating every type of threat equally. This means shifting effort toward changing how employees think about, behave toward, and are exposed to cyber threats.
Best practices for mitigating social engineering
Here are some practices to help mitigate the biggest threats in cybersecurity.
- Focus on high-priority threats. Avoid spending time, money, and resources on threats that are unlikely to occur. Instead, focus on the biggest and most common ones, such as social engineering, unpatched software, exposed devices and ports, and weak or reused passwords. Remember that ransomware is a symptom; human error, exploited through social engineering, is the root cause.
- Strengthen security behaviors and culture. Employees are your last line of defense against social engineering scams. Social engineering attacks can be significantly reduced if organizations focus on training their personnel and improving their security acumen. Phishing simulation programs and regular training exercises sharpen employees' security instincts and reinforce best practices.
- Reduce your online exposure. Use OSINT tools to research what is exposed online about your organization and its employees. This can include everything from open ports and unpatched devices to compromised credentials and exposed mobile phone numbers. Attackers can easily weaponize such information to build targeted social engineering attacks, so reducing a company's exposure to these items matters. Teach your employees to be cautious and conservative about what they post online.
Social engineering attacks remain a persistent threat, especially as popular AI tools create new ways to manipulate people. News headlines are full of large companies falling victim to cyber fraud despite the widespread use of cybersecurity defenses. Staying ahead of evolving threats requires awareness of social engineering scams, built through education and training.
Without a doubt, the industry will improve. CISA's latest guidance on the nation-state threat group Volt Typhoon highlights continued cybersecurity training and skills development as a critical action for business leaders. If the security industry followed suit and prioritized training, we would certainly see a reduction in scams, fraud, and cyber-attacks around the world.
Stu Sjouwerman, Founder and CEO of KnowBe4